Currently we are blocking all powershell interaction on all clients in our company via the Application Control feature in sophos central.
We are aware that a lot of applications are using powershell for updating their services and stuff like that.
Currently we are missing any option to monitor the activity which process are trying to execute powershell.
In the Logs & Reports section we just see that the user tried to execute the powershell.exe but not which process.
On the Logs of the client itselfe we just get an entry "Powershell got blocked by the administrator".
With Sophos Live Discover we just see successfully executed Powershell commands so that doesnt help us as well.
Does someone know how we can review the processes which tried to execute powershell but got blocked by sophos?
Thanks in forward!
Application control doesn't record that sort of action because the call to powershell is blocked at the PS launch based on it being powershell. AppC doesn't care what the parameters passed are.
If you have XDR, that populates the datalake with the commands set so you could see them through that query system.
Is the idea that you want to allow some applications to call powershell? You aren't going to be able to have that granular control with AppC - it's an all or nothing sort of thing. The application is allowed to launch or not - there is no conditions.
Program Manager, Support Readiness | CISSP | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
thanks for your answer.
But do we see that information in the datalake?
I thought that we only see data in the Live Discover section which got already executed and not blocked.
We are aware that the AppC is a all or nothing setting and we are fine with that.
We just want to see what applications are getting blocked and it could be a potential attack.
If AppC blocks it - the command never runs so no data would be sent.
If your goal is to stop all PS execution and report on every attempt with parameters.... I will have to think of a way to do this. It isn't part of the out-of-the-box configuration we have. Let me mull it over and I will get back to you.
thank you very much for your help!
I'm looking forward to hearing from you soon.
I like Lukas R 's approach. Would be cool to see what is blocked to take a deeper look what or who wanted to start a powershell command. Will probably cause issues during windows updates though.
do you got any new informations for me?
I have been trying to find some way to do this - but each option I have investigated fails out because the block happens before the params are passed to powershell. I don't think this is going to be possible. The last thing I was going to look into was if the datalake hydration would capture it. I haven't had time to test it yet.
Thanks for your information.
Is it poosible to create, based on that community post, an feature request?
You can use the following Sophos Ideas page to submit the feature request. I recommend posting under the "Endpoint Protection" section.
Thanks you all for your help.
Here is the link of the feature request: https://ideas.sophos.com/forums/285723-endpoint-protection/suggestions/44366529-monitoring-blocked-powershell-events-if-blocked-by
Let's see if it gets implemented or not :).